Support for Cisco ASA firewall data in RA

Document ID : KB000023032
Last Modified Date : 14/02/2018

Introduction: Support for Cisco ASA firewall data in RA

Question: Does RA support NetFlow Secure Event Logging (NSEL) as part of Cisco ASA NetFlow?

Answer: The short answer is that RA looks at the NSEL data when deciding which flows to save, but none of the NSEL-specific fields are included in the reports (events or extended events).

An ASA reports the same conversation more than once, each time with a different NSEL event type: flow created, flow deleted (teardown) and flow denied. The first time the ASA sees the traffic it sends a 'flow created' record. That record carries no byte counts (0 bytes), so RA discards it. If the ASA blocks the traffic because of an ACL or for some other reason, it sends a 'flow denied' record. RA discards that as well, because RA does not report on traffic that is being blocked. Finally, when the conversation completes the ASA sends a 'flow deleted' (teardown/completed) record, which carries the byte counts for the conversation. This is the only NSEL event type RA processes from ASA devices. Newer ASA releases can also emit periodic 'flow update' records; these are not teardown records either, so the same rule applies.

Because only teardown records are used, the ASA can be configured to send just those instead of every event type. On the ASA, flow-export event-type is an action applied to a class inside a policy-map (Modular Policy Framework), for example:

flow-export event-type flow-teardown destination 1.2.3.4

Note that this differs from the "ip flow-export destination 1.2.3.4 9995" command used to send NetFlow from non-ASA (IOS) devices. The ASA does not use ip flow-export; the collector address and port are set globally with "flow-export destination <interface> 1.2.3.4 9995", and the event-type filter is then applied in the policy-map class. Consult the NSEL configuration guide for your ASA release to confirm the exact syntax.
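The following is an added example for this article; it is not RA product code or Cisco code. The first part implements the selection rule described above over constructed NSEL records: keep flow-teardown (flow deleted) events, drop flow-created and flow-denied events (and any other event type). The second part renders the ASA Modular Policy Framework configuration that exports only teardown events to the collector. The interface name (inside), collector address (192.0.2.10), class-map name (nsel_export_class) and the sample records are assumptions made for the example.

```python
"""Added example for this KB article: it is not part of RA or of Cisco's code.

Reproduces the flow-selection rule the article describes for Cisco ASA NetFlow
Secure Event Logging (NSEL) records, and renders the ASA Modular Policy
Framework (MPF) configuration that makes the ASA export only teardown events.
All records below are constructed sample data, not captured traffic; the
interface, collector address and class-map name are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Values of the NSEL firewall event field (NF_F_FW_EVENT, IPFIX element 233).
FW_EVENT_IGNORE = 0
FW_EVENT_CREATED = 1    # flow created: no byte counts yet
FW_EVENT_DELETED = 2    # flow deleted / teardown: carries the byte counts
FW_EVENT_DENIED = 3     # flow denied by ACL or other policy
FW_EVENT_ALERT = 4
FW_EVENT_UPDATE = 5     # periodic update (newer ASA releases)


@dataclass(frozen=True)
class NselRecord:
    """The subset of an NSEL record the selection rule needs."""
    src: str
    dst: str
    dst_port: int
    fw_event: int
    initiator_octets: int = 0   # bytes from the initiator (client) side
    responder_octets: int = 0   # bytes from the responder (server) side


def drop_reason(rec: NselRecord) -> str:
    """Return "keep" for teardown records, otherwise why the record is dropped."""
    if rec.fw_event == FW_EVENT_DELETED:
        return "keep"
    if rec.fw_event == FW_EVENT_CREATED:
        return "discard: flow-created carries 0 bytes"
    if rec.fw_event == FW_EVENT_DENIED:
        return "discard: blocked traffic is not reported"
    return "discard: not a teardown event"


def should_keep(rec: NselRecord) -> bool:
    return drop_reason(rec) == "keep"


def select_reportable(records: Iterable[NselRecord]) -> List[NselRecord]:
    """Filter a stream of decoded NSEL records down to the ones RA reports on."""
    return [r for r in records if should_keep(r)]


def teardown_only_config(interface: str, collector: str, port: int = 9995,
                         class_name: str = "nsel_export_class") -> str:
    """Render the ASA CLI that exports only flow-teardown events.

    'flow-export destination' sets the collector globally; the event-type
    filter is a class action inside a policy-map. global_policy is the ASA's
    default policy-map and is normally already applied by the last line; if
    the class already carries 'flow-export event-type all', remove it first."""
    lines = [
        f"flow-export destination {interface} {collector} {port}",
        f"class-map {class_name}",
        " match any",
        "policy-map global_policy",
        f" class {class_name}",
        f"  flow-export event-type flow-teardown destination {collector}",
        "service-policy global_policy global",
    ]
    return "\n".join(lines)


# Constructed sample: one conversation as the ASA would report it (created,
# then torn down) plus a separate connection the ASA denied.
SAMPLE_RECORDS = [
    NselRecord("10.0.0.5", "198.51.100.7", 443, FW_EVENT_CREATED),
    NselRecord("10.0.0.5", "198.51.100.7", 443, FW_EVENT_DELETED, 1200, 8400),
    NselRecord("10.0.0.9", "198.51.100.7", 23, FW_EVENT_DENIED),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.src} -> {rec.dst}:{rec.dst_port} event={rec.fw_event}: {drop_reason(rec)}")
    kept = select_reportable(SAMPLE_RECORDS)
    print(f"{len(kept)} of {len(SAMPLE_RECORDS)} records reportable")
    print(teardown_only_config("inside", "192.0.2.10"))
```

Running the script shows that of the three sample records only the teardown survives, and prints the MPF snippet. The class-map uses "match any" so every connection through the ASA produces a teardown record; narrow the class-map if only some traffic should be exported.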

Additional Information: Info on NSEL can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_nsel.html


http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html#wp1109506